Formal Requirements for Virtualizable Third Generation Architectures

Authors: Gerald J. Popek and Robert P. Goldberg

Prepared by: Fazle Elahi Faisal and Tariq Iqbal

Introduction

A virtual machine (VM) is an efficient, isolated duplicate of a real machine.

A virtual machine monitor (VMM) is a piece of software which
◦ Provides an environment for programs that is essentially identical with the original machine
◦ Allows programs to run in that environment with at worst only a minor decrease in speed
◦ Is in complete control of system resources

Introduction (cont)

Contribution of the paper
◦ A model of a third-generation-like computer has been developed
◦ Precise sufficient conditions for testing whether an architecture can support virtual machines have been derived

Machine States

S = <E, M, P, R>

(Diagram: the four components of a state. E = executable storage, M = processor mode, P = program counter, R = relocation register.)

Machine States (cont)

State
• The state S is intended to specify the current state of the real computer system.
• The machine can exist in any one of a finite number of states, where each state has four components:

S = <E, M, P, R>


Executable Storage
• Executable storage is a conventional word- or byte-addressed memory of size q.
• E[i] refers to the contents of the i-th unit of storage in E.
• E = E´ iff E[i] = E´[i] for all 0 ≤ i < q.

Processor Mode
• Operating modes, found on some computer architectures, that place restrictions on the type and scope of operations that may be performed
• Supervisor mode (s)
• User mode (u)

Processor Mode
• Supervisor mode: the complete instruction repertoire is available to the processor.
• User mode: the complete instruction repertoire is not available to the processor; an attempt to execute one of the withheld instructions causes a trap (see Privileged Instruction below).

Program Counter
• The program counter P is an address relative to the contents of R (explained on the next slide). It acts as an index into E, indicating the next instruction to be executed.

Relocation Register
• Memory addressing is done relative to the contents of a relocation register.
• The relocation register R consists of a tuple (l, b):
  l = absolute address of the base of the addressable region
  b = absolute size (bound) of that region

Program Status Word

The contents of the triplet <M, P, R> are often referred to as the program status word (PSW).

Each PSW is assumed to be recorded in one storage location.

E[0] is assumed to store the old PSW. E[1] is assumed to store the new PSW.

Instruction

An instruction is a discrete statement to the processor that usually specifies an arithmetic, addressing, or control function on registers or memory locations.

Given a set of states C, an instruction i is a function from C to C, i: C → C.

For example, i(S1) = S2, or i(E1, M1, P1, R1) = (E2, M2, P2, R2).

Traps

A trap is a type of interrupt caused by an exceptional condition, e.g. a memory trap.

A trap automatically saves the current state of the machine and passes control to a pre-specified routine by changing M, P, R to the values stored in the new-PSW location.

Traps (cont)

An instruction i is said to trap if i(E1, M1, P1, R1) = (E2, M2, P2, R2) where
◦ E2[j] = E1[j], for 0 < j < q
◦ E2[0] = (M1, P1, R1)
◦ (M2, P2, R2) = E1[1]

The state of the machine is stored in such a way that it is reversible to the point at which the instruction causing the trap was executed: only E[0] changes, and it now holds the PSW of the trapping state.

Memory Trap

A memory trap is a trap caused by an attempt by an instruction to develop an address which lies beyond the bound in R or beyond physical memory. With R = (l, b) and an instruction that develops the relative address a:

if a + l ≥ q then memory-trap
else if a ≥ b then memory-trap
else use E[a + l]

Types of Instructions

Privileged instruction
Sensitive instruction
◦ Control sensitive
◦ Behavior sensitive
  Location sensitive
  Mode sensitive
Innocuous instruction

Privileged Instruction

Intuitively, if an instruction traps in user mode but does not trap in supervisor mode, then the instruction is privileged.

Privileged Instruction (cont)

Instruction i is privileged iff for every pair of states S1 = <e, s, p, r> and S2 = <e, u, p, r> such that
◦ neither i(S1) nor i(S2) memory traps,
it holds that
◦ i(S2) traps but i(S1) does not.

// IBM System/360 LPSW
if M = s then load_PSW
else trap

// Honeywell 6000 LBAR; DEC PDP-10 DATAO APR
if M = s then load_R
else trap

Sensitive Instruction

Sensitive instructions are those whose execution either changes the configuration of the hardware resources (the mode M or the relocation register R) or depends on that configuration.

There are two types of sensitive instruction
◦ Control sensitive
◦ Behavior sensitive

Control Sensitive Instruction

An instruction i is control sensitive if there exists a state S1 = <e1, m1, p1, r1> with i(S1) = S2 = <e2, m2, p2, r2> such that
◦ i(S1) does not memory trap, and
◦ (a) r1 ≠ r2, or (b) m1 ≠ m2, or (c) both hold.

Intuitively, an instruction is control sensitive if it attempts to change the relocation register (R), or the mode (M), or both.

Behavior Sensitive Instruction

Before we define behavior sensitive instructions, we need to define the following two operators
◦ "⊕": if r = (l, b), then r´ = r ⊕ x = (l + x, b), i.e. the relocation part l is shifted by the value of x.
◦ "|": the notation E | R means the contents of the part of memory that can be accessed through the relocation register R.

Behavior Sensitive Instruction (cont)

Combining "⊕" and "|"
◦ E | r ⊕ x represents the contents of memory from E[l + x] up to E[l + x + b - 1]
◦ E | r = E´ | r ⊕ x means that E[l + i] = E´[l + x + i] for 0 ≤ i < b

Behavior Sensitive Instruction (cont)

An instruction i is behavior sensitive if there exist an integer x and states
◦ S1 = <e | r, m1, p, r>
◦ S2 = <e | r ⊕ x, m2, p, r ⊕ x>
where
◦ i(S1) = <e1 | r, m1, p1, r>
◦ i(S2) = <e2 | r ⊕ x, m2, p2, r ⊕ x>
◦ neither i(S1) nor i(S2) memory traps
such that (a) e1 | r ≠ e2 | r ⊕ x, or (b) p1 ≠ p2, or (c) both hold.

An instruction is behavior sensitive if the effect of its execution depends on the value of the relocation register (R) or on the mode (M).

Behavior Sensitive Instruction (cont)

There are two types of behavior sensitive instructions
◦ Location sensitive: an instruction is location sensitive if its execution behavior depends on its location in real memory (i.e. on the relocation register R).
◦ Mode sensitive: an instruction is mode sensitive if its execution behavior depends on the current processor mode M.

Innocuous Instruction

An instruction is innocuous if it is not sensitive.

Virtual Machine Monitor

The virtual machine monitor (VMM) is a particular piece of software (called the control program) made up of the following three modules
◦ Dispatcher
◦ Allocator
◦ Interpreter

Virtual Machine Monitor (cont)

Dispatcher (D): the dispatcher is the top-level control module of the control program.

Virtual Machine Monitor (cont)

Allocator (A): an allocator decides on allocating the system resources to a virtual machine (VM).

Given that a VMM hosts several VMs, it is the allocator's task to avoid giving the same resource to more than one VM concurrently.

Virtual Machine Monitor (cont)

Interpreter: an interpreter simulates the effect of a privileged instruction when it is trapped.

There exists one interpreter routine per privileged instruction.

Given that vi represents the series of instructions of an interpretive routine, {vi} denotes the set of all interpretive routines, i = 1 to m, where m is the number of privileged instructions.

Control Program

A control program (CP) is specified by its three parts: CP = <D, A, {vi}>
◦ D: Dispatcher
◦ A: Allocator
◦ {vi}: Set of interpretive routines

The CP is assumed to run in supervisor mode, whereas all other programs are assumed to run in user mode.

Virtual Machine Properties

There are three properties of interest when any arbitrary program is run while the control program is resident
◦ Efficiency
◦ Resource control
◦ Equivalence

Efficiency

A program running in the VMM environment shows at worst only minor decreases in speed.

All innocuous instructions are executed by the hardware directly, without any intervention on the part of the control program.

Resource Control

The VMM is in complete control of system resources.

An arbitrary program cannot affect the system resources (e.g. memory) allocated to it.

The allocator of the control program is to be invoked upon any attempt to affect system resources.

Equivalence

The VMM provides an environment for programs which is essentially identical with the original machine.

More specifically, a program K executing with a CP resident performs in a manner indistinguishable from the case when the CP does not exist.

Exceptions to the Equivalence Property

Timing
◦ Because of the occasional intervention of the CP, certain instruction sequences in K may take longer to execute.

Resource availability
◦ The allocator may not satisfy a request to change the relocation register (R), i.e. a request for more memory, so K may run differently than it would on the bare machine with the full memory available.

Virtual Machine

The environment which any program sees when running with a virtual machine monitor present is called a virtual machine (VM).

It is composed of the original real machine and the VMM.

Third Generation Computer

A third generation computer provides the following mechanisms:
◦ Relocation mechanism
◦ Supervisor/user mode
◦ Trap mechanism

Third Generation Computer

Theorem 1: For any conventional third generation computer, a virtual machine monitor may be constructed if the set of sensitive instructions for that computer is a subset of the set of privileged instructions.
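Theorem 1 is a statement about instruction classes, and on a finite model every definition above (trap, memory trap, privileged, control sensitive, behavior sensitive) can be evaluated mechanically. The following Python block is an added example, not part of the original slides or of the paper: it builds a toy instance of the state model S = <E, M, P, R> with the trap and memory-trap rules defined earlier, gives it four constructed instructions (an LPSW-like load of the PSW, a non-trapping "store the current mode" instruction, an instruction that stores its own absolute address, and an innocuous increment), classifies each one, and reports whether the Theorem 1 condition (sensitive ⊆ privileged) holds. Everything in it is an assumption of the example: the memory size Q, the instruction semantics and names, the sample of states, the PSW operand at relative address 2 and the scratch word at relative address 3. The checks run over a finite sample of states, whereas the definitions quantify over all states, so a "not sensitive" verdict here is evidence, not proof.

```python
from itertools import product
from typing import Callable, List, NamedTuple, Tuple

# Toy instance of the Popek-Goldberg model, constructed for this example:
# S = <E, M, P, R>, R = (l, b); traps go through the PSWs in E[0] and E[1].
Q = 32                                     # size of executable storage E
NEW_PSW = ('s', 0, (0, Q - 1))             # contents of E[1]: where traps land

class State(NamedTuple):
    E: Tuple                               # executable storage
    M: str                                 # 's' = supervisor, 'u' = user
    P: int                                 # program counter, relative to R
    R: Tuple[int, int]                     # relocation register (l, b)

class MemoryTrap(Exception): pass
class PrivTrap(Exception): pass

def trap(s: State) -> State:
    """Save <M, P, R> into E[0], load <M, P, R> from E[1]; E[1..q) unchanged."""
    e = list(s.E)
    e[0] = (s.M, s.P, s.R)
    return State(tuple(e), *s.E[1])

def absolute(s: State, a: int) -> int:
    """Memory-trap rule: relative address a must satisfy a + l < q and a < b."""
    l, b = s.R
    if a + l >= Q or a >= b:
        raise MemoryTrap()
    return a + l

def write(s: State, a: int, v) -> Tuple:
    e = list(s.E)
    e[absolute(s, a)] = v
    return tuple(e)

# Four constructed instructions; only the names allude to real ISAs.
def lpsw(s: State) -> State:               # S/360-style: load PSW from rel. addr 2
    if s.M != 's':
        raise PrivTrap()                   # withheld in user mode
    return State(s.E, *s.E[absolute(s, 2)])
def read_mode(s: State) -> State:          # stores current mode at rel. addr 3, never traps
    return s._replace(E=write(s, 3, s.M), P=s.P + 1)
def store_abs(s: State) -> State:          # stores its own absolute address l + P
    return s._replace(E=write(s, 3, s.R[0] + s.P), P=s.P + 1)
def incr(s: State) -> State:               # increments the word at rel. addr 3
    return s._replace(E=write(s, 3, s.E[absolute(s, 3)] + 1), P=s.P + 1)

def run(i: Callable, s: State):
    """Execute i in s; returns ('ok' | 'trap' | 'mem', resulting state)."""
    try:
        return 'ok', i(s)
    except (PrivTrap, MemoryTrap) as t:
        return ('trap' if isinstance(t, PrivTrap) else 'mem'), trap(s)

def sample_states() -> List[State]:
    """Finite sample of states; the paper's definitions range over all states."""
    out = []
    for l in (4, 12):
        e = [0] * Q
        e[0], e[1] = None, NEW_PSW
        e[l + 2] = ('u', 5, (l, 8))        # PSW operand read by lpsw
        out += [State(tuple(e), m, 0, (l, 8)) for m in 'su']
    return out

def window(e: Tuple, r: Tuple[int, int]) -> Tuple:   # E | r
    return tuple(e[r[0]:r[0] + r[1]])

def shifted(s: State, x: int) -> State:
    """<e | r ⊕ x, m, p, r ⊕ x>: same visible contents, base moved by x."""
    l, b = s.R
    e = list(s.E[:2]) + [0] * (Q - 2)
    e[l + x:l + x + b] = s.E[l:l + b]
    return State(tuple(e), s.M, s.P, (l + x, b))

def is_privileged(i: Callable) -> bool:
    """Every pair <e,s,p,r>, <e,u,p,r> with no memory trap: user traps, supervisor does not."""
    pairs = [(run(i, s._replace(M='s'))[0], run(i, s._replace(M='u'))[0])
             for s in sample_states()]
    pairs = [p for p in pairs if 'mem' not in p]
    return bool(pairs) and all(p == ('ok', 'trap') for p in pairs)

def is_control_sensitive(i: Callable) -> bool:     # some non-memory-trapping run changes R or M
    return any(k != 'mem' and (s2.R != s1.R or s2.M != s1.M)
               for s1 in sample_states() for k, s2 in [run(i, s1)])

def is_behavior_sensitive(i: Callable, shifts=(1, 4)) -> bool:
    """Visible storage or P after i differs between S1 and a relocated/re-moded S2."""
    for s1, x, m2 in product(sample_states(), shifts, 'su'):
        s2 = shifted(s1, x)._replace(M=m2)
        (k1, t1), (k2, t2) = run(i, s1), run(i, s2)
        if 'mem' not in (k1, k2) and (
                window(t1.E, s1.R) != window(t2.E, s2.R) or t1.P != t2.P):
            return True
    return False

def theorem1_condition(isa: List[Callable]) -> Tuple[bool, List[str]]:
    """Is every sensitive instruction privileged?  Returns (holds, offenders)."""
    bad = [i.__name__ for i in isa if not is_privileged(i)
           and (is_control_sensitive(i) or is_behavior_sensitive(i))]
    return (not bad), bad

ISA = [lpsw, read_mode, store_abs, incr]
```

read_mode is the interesting case: it never traps, so it is not privileged, yet a program can tell supervisor mode from user mode by executing it, which makes it mode sensitive; store_abs likewise reveals the relocation base. theorem1_condition(ISA) therefore reports both as the instructions that block construction of a VMM for this toy machine, while lpsw (sensitive but privileged) and incr (innocuous) are fine. Restricting the same sweep to user-mode states yields the user-sensitive set used by Theorem 3 in the hybrid virtual machine section later on.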

Set of Machine States

C: The set of machine states
Cv: The set of states for which the VMM is present in memory
Cr: The set of states of the real machine without a VMM

Set of Instruction Sequences

I is the set of instruction sequences, where an instruction sequence en(S1) = ij…k(S1) = S2 consists of n instructions.

Virtual Machine Map

A virtual machine map (VM map) f: Cr → Cv is a one-one homomorphism with respect to all the operators ei in the set of instruction sequences I.

Intuitively, for any state Si ∈ Cr and any instruction sequence ei, there exists an instruction sequence ei´ such that f(ei(Si)) = ei´(f(Si)).

Virtual Machine Map

Properties
◦ Mathematical existence of a particular mapping from the states of the real machine to the virtual machine system.
◦ Actual existence of instruction sequences ei´ on the Cv domain that correspond to the sequences ei on the Cr domain.

Virtual Machine Map

Essentially identical effect
◦ Two machines are started, one in state S1, the other in state S1´ = f(S1).
◦ The VMM is equivalent to the real machine iff for any state S1, if the real machine halts in state S2, then the VM halts in state S2´ = f(S2).

A Demonstration of a VM Map

Assumptions
◦ The control program occupies the first k locations of physical memory
◦ The VM occupies the next w locations
◦ f(E, M, P, R) = (E´, M´, P´, R´), where S = <E, M, P, R> is the state of the machine without a VMM present

A Demonstration of a VM Map

VM map
◦ E´[i + k] = E[i], for i = 0 to w - 1
◦ E´[i] = the control program, for i = 2 to k - 1
◦ E´[1] = <m´, p´, r´> (the new PSW), where m´ = supervisor, p´ = first location of the control program, r´ = (0, q - 1)
◦ E´[0] = <m, p, r> (the old PSW), as last set by the trap handler
◦ M´ = u (user)
◦ P´ = p
◦ R´ = (l + k, b), where R = (l, b)
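The following Python block is an added example, not from the slides or the paper: it implements the VM map f of the demonstration above exactly as listed (PSWs in E´[0] and E´[1], the control program in E´[2..k-1], the VM's storage moved up by k, and R´ = (l + k, b)) and then checks, relative address by relative address, that a program's view of memory through the relocation register is the same in the real machine and in the mapped machine, including which addresses memory-trap. The control program contents, the value placed in E´[0], and the sample state are constructed for the example.

```python
from typing import NamedTuple, Optional, Tuple

class State(NamedTuple):
    E: Tuple                 # executable storage
    M: str                   # processor mode: 's' or 'u'
    P: int                   # program counter, relative to R
    R: Tuple[int, int]       # relocation register (l, b)

def vm_map(s: State, control_program: Tuple) -> State:
    """f: Cr -> Cv for the layout of the demonstration: PSWs at E'[0], E'[1],
    control program at E'[2..k-1], the VM's w locations right after it."""
    k = len(control_program) + 2
    w = len(s.E)
    q = k + w
    e = [None] * q
    e[0] = (s.M, s.P, s.R)           # old PSW; constructed stand-in for "as last set by the trap handler"
    e[1] = ('s', 2, (0, q - 1))      # new PSW: supervisor, first CP location, whole memory
    e[2:k] = control_program         # E'[i] = control program, 2 <= i <= k-1
    e[k:k + w] = s.E                 # E'[i + k] = E[i], 0 <= i <= w-1
    l, b = s.R
    return State(tuple(e), 'u', s.P, (l + k, b))   # M' = u, P' = p, R' = (l+k, b)

def resolve(s: State, a: int) -> Optional[int]:
    """Memory-trap rule of the model: relative address a is usable iff a < b and a + l < q."""
    l, b = s.R
    q = len(s.E)
    return None if (a + l >= q or a >= b) else a + l

def same_view(real: State, virt: State) -> bool:
    """Does every relative address resolve to the same contents, or memory-trap,
    in both machines?  This is the equivalence a user program can observe."""
    for a in range(len(real.E) + 1):
        ra, va = resolve(real, a), resolve(virt, a)
        if (ra is None) != (va is None):
            return False
        if ra is not None and real.E[ra] != virt.E[va]:
            return False
    return True

# Constructed sample: an 8-word real machine, program window at l = 2 with bound 4.
REAL = State(E=tuple(range(10, 18)), M='u', P=1, R=(2, 4))
CP = ('dispatcher', 'allocator', 'interp_lpsw')     # k = 5 once the two PSWs are counted
VIRT = vm_map(REAL, CP)

if __name__ == '__main__':
    print(VIRT)
    print('same view:', same_view(REAL, VIRT))
    print('same view without shifting R:', same_view(REAL, VIRT._replace(R=REAL.R)))
```

The check is where the shift of the relocation register earns its keep: leaving R´ = R would make the guest's relative address 0 resolve into the control program instead of its own storage, and same_view returns False for that mapping.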

Recursive Virtualization

Intuitively, a machine is recursively virtualizable if
1. the virtual machine system can run under itself a copy of the VMM, so that the copy exhibits all the properties of a VMM, and
2. procedure 1 can be repeated until the resources of the system are consumed.

Theorem 2: A conventional third generation computer is recursively virtualizable if it is (a) virtualizable, and (b) a VMM without any timing dependencies can be constructed for it.

Recursive Virtualization

A VMM is guaranteed to produce an environment in which a large class of programs run with effect identical to that on the real machine.

Provided the VMM has no timing dependencies, it is itself one of those programs, so a VMM running under another VMM is indistinguishable in effect from a VMM running on the real machine.

Source: J. Smith et al., Virtual Machines: Versatile Platforms for Systems and Processes

Hybrid Virtual Machines

Very few third generation architectures are virtualizable.

The definition of the virtual machine has therefore been relaxed to a more general, but less efficient, form that is labeled the hybrid virtual machine (HVM) system.

In an HVM, more instructions are interpreted rather than being directly executed.

Hybrid Virtual Machines

An instruction i is said to be user sensitive if there exists a state S = <E, u, P, R> for which i is control sensitive or behavior sensitive.

User sensitivity concerns only states in user mode.

Intuitively, the user sensitive instructions are the instructions that cause difficulty when executed from user mode.

Hybrid Virtual Machines

An instruction i is said to be supervisor sensitive if there exists a state S = <E, s, P, R> for which i is control sensitive or behavior sensitive.

Supervisor sensitivity concerns only states in supervisor mode.

Hybrid Virtual Machines

A VM and an HVM are identical except that, in an HVM, all instructions executed in virtual supervisor mode are interpreted rather than executed directly.

Theorem 3: A hybrid virtual machine monitor may be constructed for any conventional third generation machine in which the set of user sensitive instructions is a subset of the set of privileged instructions.

Conclusion

A formal model of a third generation computer has been developed.

Sufficient conditions have been derived to determine whether a third generation machine can support a VMM.

I/O resources and instructions, asynchronous events, or more complex memory mapping schemes can be added as straightforward extensions to the basic model.

Reference

[1] G. J. Popek and R. P. Goldberg, "Formal requirements for virtualizable third generation architectures", Communications of the ACM, vol. 17, no. 7, pp. 412-421, 1974.
